As a Systems Administrator, it is always a good security measure to audit your Active Directory accounts on a regular basis. Tools like Netwrix can help automate this process by sending you daily reports. Interactive user accounts should always have passwords that follow the password policy. On the other hand, you don’t want a service account password to expire, since that could cause your applications to stop working.
The good news is that there’s a PowerShell command you can run that will export all of the Active Directory accounts that have their passwords set to never expire into a CSV file.
See Whose Active Directory Account Password Is Set To Never Expire
Run the following command in PowerShell ISE:
Import-Module ActiveDirectory
# List every account flagged "password never expires" and write the result to a CSV report
Search-ADAccount -PasswordNeverExpires | Select-Object Name,ObjectClass,PasswordNeverExpires | Export-Csv -Path C:\Temp\users_password_expiration_false.csv -NoTypeInformation
The above command will create a file in C:\Temp on the machine you run it on called users_password_expiration_false.csv. The report will include all accounts for interactive users and service accounts, but you can filter the results.
The command will run on the currently associated Active Directory domain. If you want to run it on another domain, just log into a server on that domain and run the same script.
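One way to filter the results, as an added example that is not part of the original post: it keeps only enabled user objects and labels each one as a service account or as an interactive account to review. The function name Select-NeverExpireReview, the service-account OU, the sample accounts and the output file name are assumptions made for illustration.

```powershell
# Added example. Assumption: service accounts are kept under this OU (hypothetical name).
$ServiceAccountOU = 'OU=Service Accounts,DC=example,DC=com'

function Select-NeverExpireReview {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Account,
        [Parameter(Mandatory)]
        [string]$ServiceAccountOU
    )
    process {
        # Skip computers and other object classes, and accounts that are already disabled.
        if ($Account.ObjectClass -ne 'user' -or -not $Account.Enabled) { return }

        # An account counts as a service account when its DN ends in the service OU.
        $isService = $Account.DistinguishedName.EndsWith(
            ",$ServiceAccountOU", [StringComparison]::OrdinalIgnoreCase)

        [pscustomobject]@{
            Name           = $Account.Name
            SamAccountName = $Account.SamAccountName
            LastLogonDate  = $Account.LastLogonDate
            Category       = if ($isService) { 'ServiceAccount' } else { 'ReviewInteractive' }
        }
    }
}

# Constructed sample objects with the same property names Search-ADAccount returns,
# so the filter can be tried without a domain controller.
$sample = @(
    [pscustomobject]@{ Name = 'Jane Doe'; SamAccountName = 'jdoe'; ObjectClass = 'user'; Enabled = $true
        LastLogonDate = [datetime]'2024-01-15'; DistinguishedName = 'CN=Jane Doe,OU=Staff,DC=example,DC=com' }
    [pscustomobject]@{ Name = 'svc-backup'; SamAccountName = 'svc-backup'; ObjectClass = 'user'; Enabled = $true
        LastLogonDate = [datetime]'2024-02-01'; DistinguishedName = "CN=svc-backup,$ServiceAccountOU" }
    [pscustomobject]@{ Name = 'Old Temp'; SamAccountName = 'otemp'; ObjectClass = 'user'; Enabled = $false
        LastLogonDate = $null; DistinguishedName = 'CN=Old Temp,OU=Staff,DC=example,DC=com' }
    [pscustomobject]@{ Name = 'WS01'; SamAccountName = 'WS01$'; ObjectClass = 'computer'; Enabled = $true
        LastLogonDate = [datetime]'2024-02-10'; DistinguishedName = 'CN=WS01,OU=Workstations,DC=example,DC=com' }
)

$sample | Select-NeverExpireReview -ServiceAccountOU $ServiceAccountOU |
    Sort-Object Category, Name | Format-Table -AutoSize

# Against a real domain (output path is an assumption):
# Search-ADAccount -PasswordNeverExpires -UsersOnly |
#     Select-NeverExpireReview -ServiceAccountOU $ServiceAccountOU |
#     Export-Csv -Path C:\Temp\never_expire_review.csv -NoTypeInformation
```

Rows in the ReviewInteractive category are the ones to bring back under the password policy; ServiceAccount rows are the expected exceptions.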
How do you audit user accounts whose passwords are set to never expire? Let us know in the comments below.
I have been using, and can recommend, a free Active Directory reporting tool – AD FastReporter Free.
There you can easily get reports like “Users with a password never expire”, “Users that don’t require a password”, “Users that require to change password in next 7 days”, etc.
All report results are saved in the local database, so you can view or export them at any time you need.
You can download it here – https://albusbit.com/ADFastReporter.php